The focus for modelling needs to be on cash, not just solvency. Many forms of finance (such as bank lines of credit and insurance policies) come with covenants that mean they may not respond under stress, or at least may not respond at the speed that nervous investors and customers require. Accordingly, for tail risks, stress-testing needs to focus on cash availability, looking at the various sources of funding available and identifying how these will respond under stress. This gives an “event-absorbing capacity” (EAC), which is the scale of cash impact that a firm can reasonably absorb from one or more events occurring. Many businesses are seasonal, and such a measure will therefore vary over time and have a “pinch point”, which should be taken as the maximum capacity given the risk that an event occurs through it. Quantification of risk scenarios can then be mapped against this to determine whether additional measures are required to increase EAC. For hard-to-quantify impacts, reverse stress-testing can be used – whereby you start with the more manageable question of how bad would an event need to be to breach the firm’s risk appetite with respect to EAC.

FIGURE 6: ANALYSIS OF CASH-FLOW UNDER STRESS
[Figure not reproduced. Left panel, “Stress test logic”: Scenario Definitions and Levels; Cash-Flow − Base and EAC; Stress Tested Cash versus Risk Appetite; Actions to Mitigate; Reporting and Management. Right panel, “Cash-flow under stress”: £ millions by month, Jan-14 to Jun-15; series: Base cash, Mitigated position, Cash under max stress.]

Such a process should be central to tail-risk management, as it brings together risk appetite, scenario-setting, and stress-testing to give a basis for the board to hold management to account on risk-taking. Cyber is just one such scenario to run through this process, although for many firms it will be an increasingly important one.

In terms of mitigation, firms have many forms of actual and contingent capital they can draw on – cash being the obvious benchmark in terms of speed, cost, and certainty. Insurance can be configured to pay quickly, for example, through the up-front claims settlement of business interruption cover or through the use of parametric triggers (that is, linked to a pre-agreed objective metric). Similarly, firms may seek to reconfigure how they run things in the event of a crisis to increase working capital (held as an option in the recovery plan). Ultimately, insurance is another form of contingent capital that should be modelled as part of the resources available to provide financial capacity under stress, whether a result of cyber or some other event.

As a final note, our experience suggests that under this stress-test analysis, firms may choose to shift their insurance programmes from covering day-to-day losses, towards covering tail events. Reflecting firms’ typical risk profiles, most claims are for a low level of value, making them relatively expensive to insure and of limited purpose beyond cash-flow smoothing. In contrast, because tail risks are unlikely they are relatively cheap to insure, and doing so may preserve firm viability in the event of a crisis occurring. Economic measures such as total cost of risk (TCOR) allow firms to make these trade-offs in an objective manner.

16 • UK Cyber Security
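The EAC, pinch-point and reverse stress-test logic described in this section, as an added Python example that is not part of the original report. The cash profile, risk-appetite floor, funding sources, response rates, payment delays, drain profile and scenario sizes are all constructed assumptions, and the bisection is one way to answer "how bad would an event need to be".

```python
# Added illustration: every figure below is constructed, in £ millions.
BASE_CASH = [900, 700, 400, 250, 300, 600, 1000, 1300, 1100, 800, 500, 350]  # seasonal
FLOOR = 100              # assumed risk appetite: minimum month-end cash
DRAIN = [0.5, 0.3, 0.2]  # assumed share of an event's cash impact per month
# (name, nominal amount, share assumed to respond under stress, months to pay)
FUNDING = [("bank credit line", 400, 0.5, 0),   # covenants may block half
           ("insurance, standard claim", 300, 0.8, 3)]
PARAMETRIC = [FUNDING[0], ("insurance, parametric trigger", 300, 0.8, 0)]
SCENARIOS = {"cyber: extended outage": 450, "cyber: data breach": 200}

def stressed_path(impact, start, funding):
    """Month-end cash if an event of total size `impact` starts in month `start`."""
    path = []
    for month, cash in enumerate(BASE_CASH):
        k = month - start                      # months since the event began
        if k >= 0:
            cash -= impact * sum(DRAIN[:k + 1])
            cash += sum(a * r for _, a, r, delay in funding if k >= delay)
        path.append(cash)
    return path

def eac(start, funding, tol=0.5):
    """Reverse stress test: largest impact that never takes cash below FLOOR."""
    lo, hi = 0.0, 10_000.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if min(stressed_path(mid, start, funding)) >= FLOOR:
            lo = mid
        else:
            hi = mid
    return lo

def pinch_point(funding):
    """(start month, EAC) where capacity is lowest; this is the usable EAC."""
    caps = [eac(s, funding) for s in range(len(BASE_CASH))]
    worst = min(range(len(caps)), key=caps.__getitem__)
    return worst, caps[worst]

def shortfalls(funding):
    """Map each scenario against pinch-point EAC; positive means more cover needed."""
    _, capacity = pinch_point(funding)
    return {name: max(0.0, hit - capacity) for name, hit in SCENARIOS.items()}

if __name__ == "__main__":
    for label, funding in (("current", FUNDING), ("parametric", PARAMETRIC)):
        print(label, pinch_point(funding), shortfalls(funding))
```

With these constructed numbers the slow-paying policy leaves the outage scenario short at the pinch point, while the same cover paid on a parametric trigger closes the gap. Capacity for events starting near the end of the 12-month horizon is overstated because their later drain falls outside the modelled window.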
5 INSURANCE SOLUTIONS FOR CYBER RISKS

PENETRATION OF CYBER INSURANCE

Despite the existence of insurance solutions for most forms of cyber risk, our work suggests that business leaders are often unaware that cyber is an insurable risk. In addition, recent surveys show that those business leaders that are informed are too optimistic about the level of cover provided by the insurance they are currently buying. The majority (52%) of CEOs of large organisations that took part in a recent survey believe that they have cyber cover, whereas the reality is likely closer to 10% if we combine standalone cyber policies (at around 2% penetration) and cyber cover that is embedded in other policies. Differences may be, in part, as a result of selection bias, with those firms responding to cyber surveys more likely to be buyers of cyber cover. A similar gap applies with SMEs, where the penetration of standalone cyber cover is negligible.

FIGURE 7: DIFFERENT ESTIMATES OF CYBER INSURANCE PENETRATION

| | SOURCE | VALUE |
|---|---|---|
| Percentage of CEOs or CIOs of large organisations who believe they have insurance that would cover them in the event of a breach. | BIS, Information Security Breaches Survey 2014 | 52% |
| Percentage of CROs or CFOs who state that their organisation has bought cyber insurance. | Marsh and Zurich cyber risk surveys | 15%-20% |
| Percentage of firms with cyber cover, whether as stand-alone cover or implicit in other policies. | Marsh and Zurich cyber risk surveys | 10% |
| Actual penetration of standalone cyber insurance products among UK large businesses. | Estimate based on policies placed/written by project participant | 2% |

This evidence suggests a failure by insurers to communicate their value to business leaders in coping with cyber risk. This may, in part, reflect the new and therefore uncertain nature of this risk, with boards more focused on security improvement and recovery planning than on risk transfer. It nevertheless risks leaving insurance marginalised from one of the key risks facing firms. As a first step to raising awareness, Lloyd’s, the ABI, and the Government have agreed to develop a guide to cyber insurance and to host it on their websites.

The Role of Insurance in Managing and Mitigating the Risk • 17